Cookie management through active opt-in
While the detailed content of the ePrivacy Regulation is still being debated and lobbied within the EU, the Court of Justice of the European Union (CJEU) handed down a noteworthy judgment on 1 October 2019 in the so-called Planet49 case (press release). The ruling provides much-needed certainty on how the 'cookie banner' and 'cookie consent' provisions of the ePrivacy Directive should be applied and interpreted in the context of the GDPR. The CJEU clarified that the ePrivacy regime protects both personal and non-personal data: the requirement to obtain consent before storing or reading cookies applies regardless of whether the information stored qualifies as personal data. Moreover, the court ruled that users must actively give consent before cookies that track their browsing are placed; a pre-ticked checkbox that the user would have to untick does not amount to consent. Another important takeaway is that the information given to users must be specific, so companies should categorize the cookies they use on their websites and state their purpose. Many commentators expect the ruling to provide the legal certainty needed to move the proposed ePrivacy Regulation forward.
EU supervisory authorities have already imposed fines for inadequate information to users and for processing based on cookies without a valid legal basis. Cookie consent management on business websites is therefore under clear scrutiny within the EU in 2020.
Businesses that deploy cookies on their websites should consequently review their privacy policies, cookie policies, banners and the technical side of cookie management, in particular that no non-essential cookie is set before the user has opted in. The impact of these requirements is already visible on many websites whose operators have reworked their cookie management.
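The technical side of the point above, opt-in that is off by default and cookies that are categorized before they are set, is shown in the following added example. It is illustrative code written for this page, not code from the article or from any consent-management product; the category names, the cookie registry, the function names and the sample Cookie header are all assumptions.

```javascript
// Added example (not from the article): a consent gate plus an audit helper
// for categorized cookies. Categories, registry and sample data are assumed.

const CATEGORIES = {
  necessary: { requiresConsent: false },
  analytics: { requiresConsent: true },
  marketing: { requiresConsent: true },
};

// Every cookie the site sets is registered under one category (assumed registry).
const REGISTRY = {
  session_id: 'necessary',
  csrf_token: 'necessary',
  _ga: 'analytics',
  ad_id: 'marketing',
};

// State before the user has acted: nothing pre-ticked, only strictly
// necessary cookies are allowed.
function defaultConsent() {
  const consent = {};
  for (const [name, rule] of Object.entries(CATEGORIES)) {
    consent[name] = !rule.requiresConsent;
  }
  return consent;
}

// Apply the explicit choices made in the banner. Only booleans for
// consent-requiring categories are accepted; "necessary" cannot be switched
// off and unknown category names are rejected rather than silently stored.
function recordConsent(current, choices) {
  const next = { ...current };
  for (const [name, value] of Object.entries(choices)) {
    if (!(name in CATEGORIES)) throw new Error(`unknown category: ${name}`);
    if (!CATEGORIES[name].requiresConsent) continue;
    if (typeof value !== 'boolean') throw new Error(`choice for ${name} must be boolean`);
    next[name] = value;
  }
  return next;
}

// Gate every cookie write through the consent state. Returns true if the
// cookie was stored. Unregistered cookies are refused so that nothing
// bypasses categorization.
function setCookie(jar, name, value, consent) {
  const category = REGISTRY[name];
  if (category === undefined) return false;
  if (!consent[category]) return false;
  jar[name] = value;
  return true;
}

// Audit helper: parse a Cookie request header and list cookies that should
// not exist under the given consent state, e.g. on a first visit before
// the user has made any choice.
function auditCookieHeader(header, consent) {
  const violations = [];
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim();
    if (name === '') continue;
    const category = REGISTRY[name];
    if (category === undefined) {
      violations.push({ name, reason: 'unregistered' });
    } else if (!consent[category]) {
      violations.push({ name, reason: `no consent for ${category}` });
    }
  }
  return violations;
}

// Constructed sample: a first-visit request that already carries an
// analytics cookie, which a compliant site would not have set yet.
const SAMPLE_HEADER = 'session_id=abc123; _ga=GA1.2.111; csrf_token=xyz';

function demo() {
  let consent = defaultConsent();
  const jar = {};
  const beforeChoice = auditCookieHeader(SAMPLE_HEADER, consent);
  const blocked = setCookie(jar, '_ga', 'GA1.2.111', consent);
  consent = recordConsent(consent, { analytics: true, marketing: false });
  const allowed = setCookie(jar, '_ga', 'GA1.2.111', consent);
  return { beforeChoice, blocked, allowed, jar, consent };
}
```

Running demo() shows the two halves of the requirement: before the user acts, the audit flags _ga and the write of _ga is refused; after an explicit choice for analytics only, _ga is stored while marketing cookies remain blocked. The same auditCookieHeader call can be run against real request headers captured on a first page load to find cookies set ahead of consent.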
Transfer of data to third countries
The invalidation of the EU-US Privacy Shield by the judgment of 16 July 2020 in case C-311/18 (press release) is another key trend for 2020. The judgment of the Court of Justice of the European Union (CJEU) highlights the fundamental right to privacy in the context of transfers of personal data to third countries. The CJEU invalidated Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. However, the CJEU held that Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries remains valid.
While the SCCs remain valid, the CJEU underlined the need to ensure that the third country to which data is transferred maintains, in practice, a level of protection essentially equivalent to that guaranteed by the GDPR read in the light of the EU Charter. Assessing whether the destination country offers such protection is primarily the responsibility of the exporter and the importer; where the clauses cannot be complied with in practice, the exporter must suspend the transfer or terminate the contract.
Even though the implications of the judgment are still being worked out, businesses that transfer data to third countries should review the framework under which they transfer it and take measures where needed to comply with the new requirements.
Legislative initiatives regarding privacy and personal data outside of the EU (from the CCPA to China's Cybersecurity Law)
The California Consumer Privacy Act (CCPA) regulates the processing of personal information in California and is the first law of its kind in the USA. It gives California residents rights that are similar to, but in many respects different from, those under the GDPR. The CCPA has been in force since 1 January 2020 and enforceable since 1 July 2020, so businesses doing business in California should now comply with it. Although the statute does not say so in as many words, it appears to apply to a business established outside California if it collects or sells the personal information of California consumers while doing business in California. In practice you may have seen the impact of the CCPA where companies have updated the cookie banners or privacy policies on their websites, or added a "Do Not Sell My Personal Information" link in order to comply.
China's stance on data protection has historically been met with controversy and scepticism, as it was assumed that personal data in China was unrestricted, leaving individuals with little privacy protection and giving Chinese companies an edge in innovation. Recent developments, however, show that China is gradually building a data privacy system by transplanting elements of both the EU and the US models. In April 2020 the Cyberspace Administration of China, together with other government agencies, released the final version of the Measures on Cybersecurity Review. This shows that China is further tightening its regulation of data protection and continues to add legislation in the field of privacy, a process that began with China's Cybersecurity Law (CSL).
The legislative efforts described above demonstrate the trend of increasing privacy and personal data legislation outside of the EU. Companies engaged in business outside the EU should therefore keep track of how privacy and personal data legislation evolves in non-EU countries.
As discussed in this article, the current trends in personal data and website management may require companies to review their compliance with the new requirements. If you are considering whether your business is affected by these trends, do not hesitate to contact us. Proactivity is key when deciding whether to update policies, notices, banners and consent mechanisms (especially for cookies), as inspections of compliance with ePrivacy and data protection laws clearly apply to all companies within the EU, whatever their size.
Associate Lauri Nieminen and Associate Anssi Ihatsu